Threat Actors Weaponizing RMM Tools to Take Control of The Machine and Steal Data
Cybercriminals are increasingly exploiting Remote Monitoring and Management (RMM) software to gain unauthorized access to corporate systems, with a sophisticated new attack campaign demonstrating how legitimate IT tools can become powerful weapons in the wrong hands.
This emerging threat leverages the inherent trust placed in RMM solutions, transforming essential administrative software into conduits for data theft and potential ransomware deployment.
The latest attack campaign employs a dual-RMM strategy that significantly enhances attacker persistence and control.
By deploying both Atera and Splashtop Streamer simultaneously, threat actors ensure continued access even if one RMM tool is discovered and removed by security teams.
This redundancy represents a concerning evolution in attack methodology, where cybercriminals prioritize maintaining long-term access over stealth.
The attack begins with a carefully crafted phishing email sent from compromised Microsoft 365 accounts to undisclosed recipient lists.
These messages impersonate Microsoft OneDrive notifications, complete with authentic-looking Word document icons and privacy footers to establish legitimacy.
The emails contain malicious links hosted on Discord’s Content Delivery Network (cdn.discordapp.com), exploiting the platform’s reputation as a trusted service to bypass initial security filters.
Sublime Security researchers identified this campaign through their AI-powered detection engine, which flagged multiple suspicious indicators including file extension manipulation and OneDrive impersonation tactics.
The researchers noted that the attack represents a significant escalation in RMM abuse, particularly due to its multi-tool approach and sophisticated social engineering components.
Infection Mechanism and Payload Deployment
The attack’s infection mechanism demonstrates advanced evasion techniques through file extension manipulation. Victims receive links to what appears to be a .docx document, but the link actually downloads a file named Scan_Document_xlsx.docx.msi.
This double extension technique exploits user expectations while hiding the executable nature of the payload: Windows Explorer hides the final extension of registered file types by default, so the file is displayed as Scan_Document_xlsx.docx, while the trailing .msi is what Windows actually honors when the file is opened, handing it straight to the Windows Installer service.
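As an added example (not code from the article or from Sublime Security), the following Python check captures the lure-name pattern: it reconstructs what Explorer would display with default settings, works out which extension Windows will actually honor, and flags an executable type wearing a document disguise. It also accepts full URLs, so it can be run over link targets pulled from a mail-gateway log. The extension lists and the sample targets are constructed for the example.

```python
"""Flag download names that disguise an executable as a document (added example)."""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote, urlsplit

# Extensions Windows hands to an installer or script host. Explorer's default
# "Hide extensions for known file types" setting hides the LAST extension of a
# registered type, so Scan_Document_xlsx.docx.msi is shown as Scan_Document_xlsx.docx.
EXECUTABLE_EXTENSIONS = {".msi", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Document types a lure is likely to imitate (assumed list, extend as needed).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                       ".ppt", ".pptx", ".pdf", ".rtf", ".txt", ".odt"}
# "Scan_Document_xlsx" style: a document type smuggled into the stem with a separator.
LURE_TOKEN = re.compile(r"[_-](docx?|xlsx?|pptx?|pdf|txt)$", re.IGNORECASE)


class Verdict(NamedTuple):
    filename: str             # base name as it would be saved
    displayed_as: str         # what Explorer shows with default settings
    real_type: str            # extension that decides how Windows opens the file
    lure_type: Optional[str]  # document type the name pretends to be, if any
    suspicious: bool          # executable type wearing a document disguise


def basename_from(target: str) -> str:
    """Accept a bare filename or a full URL (query string and percent-encoding stripped)."""
    path = urlsplit(target).path if "://" in target else target
    return unquote(path.rsplit("/", 1)[-1])


def analyse_filename(target: str) -> Verdict:
    name = basename_from(target)
    parts = name.split(".")
    if len(parts) < 2:
        return Verdict(name, name, "", None, False)
    real = "." + parts[-1].lower()
    known = real in EXECUTABLE_EXTENSIONS or real in DOCUMENT_EXTENSIONS
    displayed = name[: -len(real)] if known else name
    # Prefer an inner extension (.docx in .docx.msi) as the lure ...
    lure = next(("." + p.lower() for p in reversed(parts[1:-1])
                 if "." + p.lower() in DOCUMENT_EXTENSIONS), None)
    # ... and fall back to a separator token in the stem (Invoice_pdf.exe).
    if lure is None:
        m = LURE_TOKEN.search(parts[0])
        if m:
            lure = "." + m.group(1).lower()
    suspicious = real in EXECUTABLE_EXTENSIONS and lure is not None
    return Verdict(name, displayed, real, lure, suspicious)


def flagged(targets: List[str]) -> List[Verdict]:
    """Return only the verdicts worth an analyst's attention."""
    return [v for v in map(analyse_filename, targets) if v.suspicious]


# Constructed sample of link targets as they might appear in a mail-gateway URL log.
SAMPLE_TARGETS = [
    "https://cdn.discordapp.com/attachments/1/2/Scan_Document_xlsx.docx.msi?ex=66",
    "Quarterly_Report.docx",
    "Invoice_pdf.exe",
    "setup.msi",
]

if __name__ == "__main__":
    for v in flagged(SAMPLE_TARGETS):
        print(f"{v.filename}: shown as '{v.displayed_as}', opens as {v.real_type}, "
              f"poses as {v.lure_type}")
```

A plain `setup.msi` is not flagged: the check is aimed at the disguise, not at installers in general, which keeps it quiet on legitimate software distribution while still catching both the inner-extension form from this campaign and the separator-token variant.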
Upon execution, the malicious MSI package initiates a multi-stage installation process. The Atera Agent installs through an attended process that requires user interaction, creating visible installation dialogs that appear legitimate.
Simultaneously, two silent installations occur in the background: Splashtop Streamer and Microsoft .NET Runtime 8.
These components download directly from their respective legitimate sources, generating network traffic that appears entirely benign to security monitoring systems.
The attack’s sophistication lies in its use of legitimate infrastructure for payload delivery. By downloading RMM components from official vendor websites rather than suspicious domains, the malware evades signature-based detection systems and network monitoring tools that typically flag downloads from known malicious sources.
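Because the installers themselves are genuine, signed vendor software, the durable signal is not the download but the install: an RMM agent appearing on a host where the organization never sanctioned it, and two different RMM agents arriving within minutes of each other. As an added example (not part of the article or the research it reports), the Python below scans constructed Windows Installer event lines (provider MsiInstaller, Event IDs 11707 and 1033, in a simplified text-export format) against an assumed keyword list of RMM products and an assumed organizational allowlist, reports unapproved RMM installs and the dual-RMM pattern, and ignores the .NET Runtime install that lands alongside. Host names, timestamps and version strings in the sample log are constructed.

```python
"""Spot unapproved and redundant RMM installs in Windows Installer events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Set, Tuple

# Product-name keywords that identify an RMM / remote-access agent. Atera and
# Splashtop are the two tools from the campaign; the rest are an assumed
# starting list that an organization would extend.
RMM_KEYWORDS = {
    "atera": "Atera",
    "splashtop": "Splashtop",
    "anydesk": "AnyDesk",
    "screenconnect": "ScreenConnect",
    "teamviewer": "TeamViewer",
}

# Windows Installer events: 11707 marks a completed install, 1033 carries
# the product name, version and manufacturer.
EVENT_11707 = re.compile(
    r"MsiInstaller\s+11707\s+Product: (?P<product>.+?) -- Installation completed successfully")
EVENT_1033 = re.compile(
    r"MsiInstaller\s+1033\s+Windows Installer installed the product\. "
    r"Product Name: (?P<product>.+?)\. Product Version")
# Constructed export format: "<date> <time> <host> <provider> <event id> <message>".
LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")


class Install(NamedTuple):
    timestamp: str
    host: str
    product: str
    rmm: Optional[str]  # RMM family, or None for ordinary software


def rmm_family(product: str) -> Optional[str]:
    p = product.lower()
    return next((fam for kw, fam in RMM_KEYWORDS.items() if kw in p), None)


def parse_installs(lines: List[str]) -> List[Install]:
    out = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        e = EVENT_11707.match(m.group("rest")) or EVENT_1033.match(m.group("rest"))
        if not e:
            continue
        product = e.group("product").strip()
        out.append(Install(m.group("ts"), m.group("host"), product, rmm_family(product)))
    return out


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def assess(installs: List[Install], approved: Set[str],
           window: timedelta = timedelta(minutes=15)) -> Tuple[List[Install], List[str]]:
    """Return (RMM installs not on the allowlist, hosts where two different RMM
    families were installed within `window` of each other)."""
    per_host = defaultdict(list)
    unapproved = []
    for i in installs:
        if i.rmm is None:
            continue
        per_host[i.host].append(i)
        if i.rmm not in approved:
            unapproved.append(i)
    dual = []
    for host, events in per_host.items():
        events.sort(key=lambda e: _ts(e.timestamp))
        for a, b in zip(events, events[1:]):
            if a.rmm != b.rmm and _ts(b.timestamp) - _ts(a.timestamp) <= window:
                dual.append(host)
                break
    return unapproved, sorted(dual)


# Constructed sample: one host hit by the dual-RMM installer, one with a sanctioned agent.
SAMPLE_LOG = """\
2024-05-10 14:02:11 WS-0142 MsiInstaller 11707 Product: Atera Agent -- Installation completed successfully.
2024-05-10 14:02:40 WS-0142 MsiInstaller 1033 Windows Installer installed the product. Product Name: Microsoft .NET Runtime - 8.0.0 (x64). Product Version: 64.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.
2024-05-10 14:03:05 WS-0142 MsiInstaller 11707 Product: Splashtop Streamer -- Installation completed successfully.
2024-05-10 09:15:30 WS-0077 MsiInstaller 11707 Product: Splashtop Streamer -- Installation completed successfully.
2024-05-11 08:01:00 WS-0077 MsiInstaller 11707 Product: 7-Zip 23.01 (x64 edition) -- Installation completed successfully.
"""
APPROVED_RMM = {"Splashtop"}  # assumed: the help desk's sanctioned tool

if __name__ == "__main__":
    unapproved, dual = assess(parse_installs(SAMPLE_LOG.splitlines()), APPROVED_RMM)
    for i in unapproved:
        print(f"{i.host}: unapproved RMM '{i.product}' at {i.timestamp}")
    for host in dual:
        print(f"{host}: two RMM agents installed within minutes (redundant-access pattern)")
```

The allowlist is what makes this actionable: Splashtop on WS-0077 is expected and stays quiet, while Atera on WS-0142 is flagged on its own and again as half of a dual-RMM pair. Feeding the same logic an inventory export (installed-program lists or service names) instead of installer events catches agents that arrived by other means.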